1 WS-Security Yosi Taguri Microsoft Israel

WS-Security Yosi Taguri Platform Group Microsoft Israel

Agenda WSE Basics Security Tokens IntegrityConfidentiality Making It All Sing Together How do I write WS-Security code faster

Protocol domains AdvancedProtocols Internet Transports Security Messaging Transactions Metadata SOAP, XML, WSDL Reliable Messaging

Web Service Enhancements WSE offers initial support for new protocols “Close to the metal” implementation Application model left to the developer WSE intended for early adopters Supported, but for 2+1 years Expect to migrate… WSE 2.0 Tech Preview now available

WSE and interoperability WSE's protocols are not yet widely implemented Some interop with some kits (WebSphere) Does not interop with arbitrary toolkits There is no standard mechanism for describing protocol usage in WSDL Must know what other end of pipe is doing WS-Policy intended to address this WSE most useful in enterprise or with key partners

WSE 1.0 Simple framework layered on ASP.NET Web Services Support for… WS-SecurityWS-Routing/ReferralWS-Attachments/DIME

WSE 2.0 Tech Preview Extended security support WS-SecureConversation, WS-Trust Improved token management Protection from replay attacks New WS-Policy support Extended messaging support WS-Addressing supplants WS-Routing

ASP.NET and WSE ASP.NET provides support for basic Web services Only the base-line protocols Only RPC programming model Web Services Enhancements (WSE) add-on provides advanced features on top of ASP.NET Latest protocols, like WS-Security A messaging programming model

How WSE works Core WSE functionality implemented as input and output filters ClientServer OutputFilters InputFilters InputFilters OutputFilters

What the IO filters do WSE’s input and output filters map protocols to and from SOAP messages Protocol info modeled by SoapContext Output filters use SoapContext info to update outbound message Input filters use inbound message to update SoapContext info

Pipeline SpecificProtocolproperties Output filters SoapWeb-Request Soap-Context BasicSOAPmessage SOAPmessage with protocols applied Output Filter

Pipeline Input filters SpecificProtocolproperties SoapWeb-Response Soap-Context BasicSOAPmessage SOAPmessage with protocols applied Input Filter

The Pipeline Use of IO filters encapsulated by pipeline class Pipeline plumbing used by higher-level proxy/service code Pipeline can be extended with custom filters Pipeline can be configured per-proxy or per- process

Server integration WebServicesExtension uses pipeline to filter SOAP messages Input filters process request messages Output filters process response messages RequestSoapContext.Current exposes protocol settings of last message received ResponseSoapContext.Current exposes protocol settings for next message sent

Pipeline Web Service Server integration WebServicesExtension Http-ResponseSoap-Context Http-Context Http-RequestSoap-Context Input Filter Output Filter HttpContext.Current RequestSoapContext.Current ResponseSoapContext.Current

Proxy integration WebServicesClientProtocol is new proxy base class Output filters process request messages Input filters process response messages RequestSoapContext property exposes protocol settings for next message sent ResponseSoapContext property exposes protocol settings for last message received

Pipeline ProxyClass Proxy integration WebServices-ClientProtocol SoapWeb-Request SoapWeb-Response SoapContext SoapContext RequestSoapContext ResponseSoapContext Output Filter Input Filter

Proxy integration static void Main() { // create WebServicesClientProtocol-derived // proxy class // create WebServicesClientProtocol-derived // proxy class TimeServiceWse proxy = new TimeServiceWse(); TimeServiceWse proxy = new TimeServiceWse(); // WebServiceClientProtocol gives pipeline // WebServiceClientProtocol gives pipeline // a chance to filter messages // a chance to filter messages Console.WriteLine(proxy.GetTime()); Console.WriteLine(proxy.GetTime());}

WS-Security Defines a framework for building security protocols using existing protocols Propagation of security tokens Integrity via XML Signature Confidentiality via XML Encryption Framework designed for end-to-end security of SOAP messages From initial sender, through 0-n intermediaries to ultimate receiver

Security Tokens Tokens represent claims about identity, capabilities, or privileges WS-Security provides constructs for transmitting security tokens Supports text and binary tokens OASIS WS-Security TC producing several token profiles Username/Password, X509, Kerberos, SAML, XrML

Security Tokens

UsernameToken UsernameToken contains a username and password Password is optional and can be passed as plaintext or digest Plaintext is BAD unless token is encrypted Digest not much better, token should still be encrypted Best to encrypt token for recipient By default authenticated with windows Only capable to Sign and not Encrypt

Where are we Authentication and Authorization is tightly coupled in WSE and integrated with windows Messages are still unsigned

Message Integrity How do you know message has not been altered? Bad guy could copy token into another message Bad guy could altering timestamp, headers, body of message Parts of a message can be signed to ensure integrity Based on XML Signature (XMLDSIG)

Integrity, sender I want to send a SOAP message and ensure that the body is not modified I generate a digest of the SOAP body I generate a signature over the digest (and some other info) using my private key I include my public key in a security token

Integrity, receiver You want to check that the body of the message was not modified You generate a digest for the SOAP body You compare your digest and the one in the message You check that the signature is valid using my public key As a side-effect, you know the message was from me

Message confidentiality How do you know message hasn't been read? Bad guy can read XML payload anywhere along the wire Parts of a message can be encrypted to ensure confidentiality Based on XML Encryption (XMLENC)

I want to send a SOAP message and ensure that only you can read the content of the body I generate a symmetric key I encrypt that key using your public key I encrypt the content of the body using the symmetric key I include both the encrypted data and encrypted key in the message Confidentiality, sender

Confidentiality, receiver You want to read the encrypted content of the body You decrypt the symmetric key using your private key You decrypt the content of the body using the symmetric key

Trust

Validating a Security Token

Using An Issued Security Token

Secure Conversation

Policy

Summary Not all security tokens are created equal Make sure your tokens can do what you want them to do Design with WSE in mind – it is the future Soap, Soap, Soap

Resources MSDN Web Services Developer Center

Questions?

© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.